b"March 22, 2002\nAudit Report No. 02-008\n\n\nThe FDIC\xe2\x80\x99s Efforts To Implement a\nSingle Sign-on Process\n\n\n\n\n              1\n\x0c    Federal Deposit Insurance Corporation                                                             Office of Audits\n    Washington, D.C. 20434                                                                Office of Inspector General\n\n\n\n\nDATE:                               March 22, 2002\n\nMEMORANDUM TO:                      Carol M. Heindel, Acting Director\n                                    Division of Information Resources Management\n\n\n\nFROM:                               Russell A. Rau [Electronically produced version; original signed\n                                    by Russell A. Rau]\n                                    Assistant Inspector General for Audits\n\nSUBJECT:                            Final Report Entitled The FDIC\xe2\x80\x99s Efforts To Implement a Single\n                                    Sign-on Process (Audit Report No. 02-008)\n\n\nThe Federal Deposit Insurance Corporation\xe2\x80\x99s (FDIC) Office of Inspector General (OIG) has\ncompleted an audit of the FDIC\xe2\x80\x99s limited efforts to implement a single sign-on (SSO) process for\naccessing the Corporation\xe2\x80\x99s information technology (IT) resources. The SSO process refers to\nan access method that allows users to access multiple systems using only one password. We\ninitiated this audit to evaluate the internal controls over the FDIC's planning and implementation\nof the SSO process. The FDIC\xe2\x80\x99s Division of Information Resources Management (DIRM) 1\noriginally requested $4.1 million to implement a corporate-wide access control process. Year\n2000 funding for the project was approved for $1.6 million.\n\nIn April 2000, DIRM initiated the development of SSO for its Extranet-accessible applications 2\nas a pilot project for examining the feasibility of providing SSO capabilities. 
Our audit focused\non\n(1) the FDIC's planning and implementation of SSO for its Extranet-accessible applications and\n(2) the Corporation\xe2\x80\x99s ability to make an informed decision regarding corporate-wide\nimplementation of SSO based on the pilot project. A detailed discussion of the scope and\nmethodology of our audit is included in Appendix I.\n\n\n\n\n1\n  DIRM has the responsibility of developing, maintaining, and providing security for the FDIC\xe2\x80\x99s information technology\nresources\n2\n  The Extranet-accessible applications involved are internal Division of Supervision mainframe applications that\nare available to the examiners for the state and other federal financial regulatory agencies based on permissions\ngranted by the FDIC. The applications are the Non-Deposit Investment Products System, the Statistical CAMELS\nOff-site Rating, the Examiner Download System, the Custom Download, the Performance Reports Online, and the\nCommunity Contacts.\n\x0cBACKGROUND\n\nBefore beginning the development of a corporate-wide access control process, the Corporation had\ndifficulty in documenting and controlling system access because of the many users, both internal\nand external, with access to multiple systems. The FDIC required that some external users obtain as\nmany as three passwords to access a system. The General Accounting Office (GAO) had identified\nthe need for better controls over user access during the audit of the FDIC\xe2\x80\x99s 1999 financial\nstatements. To streamline the user access process and partially address GAO\xe2\x80\x99s user access\nconcerns, the FDIC began planning to implement an SSO process.\n\nDIRM originally requested $4.1 million to develop and implement a corporate-wide access control\nprocess. DIRM\xe2\x80\x99s original purpose in developing such a control process was to eliminate the\nredundant sign-on procedures for a user to access multiple applications and to streamline password\nmanagement. 
Year 2000 funding of $1.6 million was approved to initiate the corporate-wide access\ncontrol project.\n\nIn April 2000, DIRM initiated an SSO pilot project for Extranet users to determine the feasibility\nof and methods for effectively implementing SSO for the entire Corporation. Before the\nimplementation of SSO, Extranet users were required at a minimum to have a user ID, valid\ncertificate, 3 and two passwords to access specified FDIC applications. With SSO in place,\nExtranet users could now access these resources with a user ID, valid certificate, and a single\npassword. DIRM expected that the implementation of SSO for all of its applications would\nreduce the number of user ID and password combinations managed corporate-wide.\n\nDIRM used the services of a contractor to develop and implement SSO for the Extranet-\naccessible applications. The SSO pilot was placed in production in March 2001. SSO project\ncosts through the issuance date of this report were approximately $1.4 million.\n\nThe September 1999 SSO project plan was developed by DIRM\xe2\x80\x99s Information Security Section\nfor a corporate-wide implementation of SSO and included two basic functional requirements:\n(1) an efficient, reliable, and centrally-managed user access process for all of the FDIC\xe2\x80\x99s\ncomputing environments and (2) a secure and reliable Extranet and internal system access\nprocess using a single log-on transaction. The plan described the benefits of SSO as (1)\nenhanced usability and reliability of the FDIC Extranet, (2) improved corporate capability to\ncontrol user access privilege assignments, (3) standardized access controls across all the FDIC\xe2\x80\x99s\nenvironments, and (4) reduced costs of operating multiple access control systems. The project\nplan also included a description of the access control environment in place at the time and a\ncomparative analysis of the capabilities of three SSO vendor products. 
The SSO project team\ndid not tailor the original SSO project plan to take into account that a pilot project was being\nconducted to determine whether a corporate-wide SSO solution should be pursued. The SSO\nproject team instead prepared a project schedule using Microsoft Project4 to manage the tasks to\nbe performed during the implementation of the pilot SSO process. The project schedule\ndescribed the tasks to be performed and the staff responsible for those tasks. DIRM\n3\n    A certificate is an electronic document used to identify an individual, company, or entity.\n4\n  Microsoft Project is an application that provides a project manager with the ability to schedule, organize, and analyze\ntasks, deadlines, and resources.\n\n\n                                                             2\n\x0crepresentatives also prepared a separate document that identified the budget for the pilot SSO\nproject.\n\n\nRESULTS OF AUDIT\n\nProject planning for the SSO pilot was not adequate. Specifically, DIRM did not integrate into\none document pertinent factors associated with the project, develop the methodology or\nmeasures needed to effectively assess the project team\xe2\x80\x99s implementation of the project, evaluate\nthe outcome of the project, or identify lessons learned. DIRM also did not establish a process to\nobtain corporate-wide agreement from all FDIC divisions and offices that the SSO process\nwould be the standard access method for use of the FDIC\xe2\x80\x99s computing environment.\n\nThe SSO project team did not prepare an analysis of alternatives based on the benefit-cost of\navailable system access methods or perform a post-implementation assessment to determine\nwhether the selected SSO solution was the most appropriate method for addressing the FDIC\xe2\x80\x99s IT\naccess security needs. 
Without an analysis of alternatives, the SSO project team was unable to\njustify that the system access process that the team implemented was the most cost effective.\n\n\nSSO PROJECT PLANNING\n\nDIRM implemented the SSO pilot project before developing the pertinent information related to the\nproject and documenting that information. Specifically, DIRM did not integrate into one document\nthe key factors associated with the project, including IT resource requirements, the amount of funds\nbudgeted, and the relationships to other IT systems and initiatives. Additionally, DIRM did not\ndevelop the methodology or measures needed to effectively assess the project team\xe2\x80\x99s\nimplementation of the pilot project, evaluate the outcome of the project, or identify lessons learned.\nFinally, DIRM did not establish a process, before committing funds to the development of the SSO\npilot, to obtain agreement that SSO would serve as the standard system access method. The lack of\nproject documentation occurred because the SSO project team did not follow all the planning\nrequirements for information technology projects outlined in Office of Management and Budget\n(OMB) circulars and FDIC directives. Rather, the SSO project team believed that the use of\nMicrosoft Project was sufficient for project planning purposes. As a result, the SSO team was\nunable to justify the SSO method implemented, determine whether the actual results of the SSO\npilot project met the expected results, and determine whether the SSO process should be expanded\ncorporate-wide.\n\nSSO Project Documentation\n\nOMB Circular A-130, Management of Federal Information Resources, (OMB Circular A-130)\npromotes an integrated approach to IT planning. The circular states that agencies should\nintegrate planning for information systems with plans for resource allocation, including\nbudgeting, acquisition, and use of information technology. 
In addition, agencies must establish\nand maintain an investment control process that links mission needs, information, and\ninformation technology in an effective and efficient manner. Agencies must use a performance\n\n\n\n                                                  3\n\x0cbased management system that provides timely information regarding the progress of an\ninformation technology investment. The system must also measure progress towards milestones\nin an independently verifiable basis, in terms of cost, capability of the investment to meet\nspecified requirements, timeliness, and quality.\n\nThe SSO project team did not integrate into one document the pertinent factors associated with\nthe pilot project, such as IT requirements, amount of funds budgeted, and relationships to other\nIT systems and initiatives. Specifically, the SSO project team did not develop or maintain the\ninformation needed to (1) describe the total resources required to develop, implement, and\nmaintain the SSO process over the entire life cycle of SSO application, (2) ensure the benefit-\ncost of the project selected exceeded the benefit-cost of maintaining the status quo or other\navailable SSO alternatives, (3) establish and measure the achievement of performance goals for\nimplementing SSO consistent with OMB Circular A-130 and FDIC directives, (4) ensure that the\nSSO access process would become the corporate standard method for system access, and (5)\ndetermine whether expanded implementation of the current pilot SSO process was justified. The\nlack of documentation occurred because the SSO project team did not develop the planning\ndocuments required by corporate policy and OMB Circular A-130 before initiating the SSO\nimplementation.\n\nWithout a complete, comprehensive and documented set of information supporting the project, the\nSSO project team could not properly select from among alternatives or control and evaluate the\nsystem access approach that was pursued. 
The required documentation was not developed or\nmaintained because the SSO project team believed that the use of Microsoft Project was a sufficient\nmeans of monitoring the development and implementation of the SSO pilot process. Although\nMicrosoft Project can assist the project manager in monitoring a project\xe2\x80\x99s schedule, a more\ncomprehensive means of measuring costs and schedules for IT investment projects is a performance\nbased management system required by OMB Circular A-130. Without the required documentation,\nDIRM had a limited basis for measuring the effectiveness of the pilot implementation or for\ndetermining whether and how to expand the SSO process corporate-wide. During our audit, the\nSSO project team agreed that the Extranet SSO plan could have been better documented. At\nDIRM\xe2\x80\x99s request, we provided the SSO team with a list of documents that would improve the future\nplanning for SSO.\n\nPerformance Measurement\n\nOMB Circular A-130 requires that agencies establish a capital planning and investment control\nprocess that links mission needs, information needs, and IT in an effective and efficient manner.\nThe use of performance goals and indicators is a control method that measures an agency\xe2\x80\x99s\nprogress in achieving its mission and goals. To accomplish the control objective, the FDIC must\ndevelop performance plans that (1) establish the performance indicators to be used in measuring\nor assessing the relevant outputs, service levels, and outcomes of each program and (2) provide a\nbasis for capturing actual program results through the establishment of performance goals.\n\n DIRM did not develop the performance goals and indicators needed to gauge DIRM\xe2\x80\x99s progress\nin managing and monitoring the pilot SSO project. 
The performance measures were not\ndeveloped because the SSO project team again believed that the use of Microsoft Project was a\n\n\n\n                                                 4\n\x0csufficient means of monitoring the performance of the SSO process. As stated above in our\ndiscussion of project documentation, although Microsoft Project does provide a means for the\nproject manager to monitor a project\xe2\x80\x99s schedule, it does not provide the performance data\nrequired by OMB Circular A-130. More specific performance measures are needed to ensure\nthat DIRM develops its IT resources effectively and efficiently. Without instituting the\nperformance measures and management processes needed to monitor actual performance as\ncompared to expected results, DIRM was not able to evaluate and control the SSO development\nprocess. The SSO project team did not have the information needed to measure the project\xe2\x80\x99s\nprogress in terms of cost or the capability of the investment to meet specified requirements,\ntimeliness, and quality. Most important, the SSO project team did not implement the\nperformance measures needed to assess whether the results of the pilot project justified a\ncorporate-wide implementation. As a result, DIRM could not determine whether the SSO pilot\nproject, as implemented, met the requirement for an efficient, reliable, secure, and centrally\nmanaged SSO access process for all of the FDIC\xe2\x80\x99s internal and external computing environments\nas originally envisioned.\n\nIn addition, DIRM had no means to determine whether the original functional requirements\nwould be satisfied and the FDIC would benefit from the SSO process through (1) enhanced\nusability and reliability of the Extranet, (2) improved corporate control of user access privilege\nassignments, (3) standardized access controls across all FDIC computer environments, and (4)\nreduced costs derived from operating fewer multiple access control systems. 
Finally, the FDIC\ncould not demonstrate that the implementation of the SSO process would address the GAO\xe2\x80\x99s\nconcerns related to the FDIC\xe2\x80\x99s management of system access, even though doing so was one of\nDIRM\xe2\x80\x99s justifications for implementing the SSO process. 5\n\n\nCorporate-Wide SSO Use by Divisions and Offices\n\nThe SSO project team did not establish a process to obtain agreement that the proposed SSO\nprocess would serve as the Corporation\xe2\x80\x99s standard system access method. The agreement was\nneeded to ensure that all corporate applications and systems use the same sign-on process.\nWithout obtaining the agreement of all directors of divisions and offices to use the same process\nfor accessing systems, a corporate-wide SSO may not be attainable, and the implementation of\nthe SSO process may not prove cost-beneficial if additional access methods continue to be used.\n\nFDIC Circular 1240.1, Corporate Perspective in Information Technology Systems Development\nestablished policies, roles, responsibilities, and procedures to ensure a corporate perspective in\ncreating information systems. The circular applies to the development of major information\ntechnology projects that are estimated to cost more than $400,000 in 1 year or $2 million within\n5 years. The circular requires the development of a high-level impact analysis that identifies\nother parts of the Corporation affected by the implementation of the system. When the project is\n\n\n5\n  GAO\xe2\x80\x99s management letter entitled, Financial Audit: Weaknesses in FDIC\xe2\x80\x99s Information System Controls, July 17,\n2000 and based on financial statement work performed in 1999 stated that the FDIC\xe2\x80\x99s access control process did not\nadequately protect resources. 
Part of the FDIC\xe2\x80\x99s response to GAO\xe2\x80\x99s finding was to implement SSO to improve the\nCorporation\xe2\x80\x99s access controls.\n\n\n                                                         5\n\x0cfunded, a more detailed impact analysis is required for the project definition report (PDR). 6 The\nDirectors of all affected divisions and offices must signify approval before any major project\ncontinues. Provisions of this circular were not in effect when the SSO pilot project was initiated.\nHowever, the circular will apply if the implementation of the SSO process is expanded\ncorporate-wide.\n\n\nRecommendation\n\nWe recommend that the Acting Director, DIRM,\n\n(1) require that before initiating the corporate-wide SSO process, the SSO project team prepare a\ncomprehensive project plan that contains the following:\n\n\xe2\x80\xa2   all documentation required by OMB Circular A-130 for the selection, control, and\n    evaluation components of the capital planning and investment control process,\n\n\xe2\x80\xa2   performance goals and indicators to gauge the FDIC\xe2\x80\x99s progress in implementing the SSO\n    project plan, and\n\n\xe2\x80\xa2   a mechanism for obtaining agreement from all directors of FDIC divisions and offices to use\n    the SSO process.\n\n\nANALYSIS OF SSO ALTERNATIVES\n\nThe SSO pilot project plan did not (1) provide an explanation as to how the SSO project team\ndetermined that the SSO solution selected was the most appropriate method for addressing the\nFDIC\xe2\x80\x99s IT security concerns, (2) include a benefit-cost analysis (BCA), or (3) quantify the\nbenefits to be achieved based on the measurement of the future improvements in program\noutputs. The lack of an analysis of alternatives occurred because the SSO project team did not\nfollow the applicable IT planning circulars and directives issued by OMB and the FDIC. 
As a\nresult, the SSO project team could not provide adequate justification for the system access\nmethod that was implemented.\n\nOMB Circular A-130 requires that agencies demonstrate a projected return on investment that is\nclearly equal to or better than alternative uses of available public resources. Return on\ninvestment should, where appropriate, reflect actual returns observed through pilot projects and\nprototypes. The selection component of the circular also requires that BCAs be prepared and\nupdated for each information system throughout its life cycle. The BCA should provide a level\nof detail proportionate to the size of the investment, rely on systemic measures of mission\nperformance, and be consistent with the methodology described in OMB Circular A-94,\nGuidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs.\n6\n  A PDR is a deliverable of the FDIC\xe2\x80\x99s system development life cycle and addresses business needs; high-level\nfunctional, data, security, and performance requirements; project scope; technical feasibility; evaluation of alternatives;\nand the recommended alternative.\n\n\n                                                             6\n\x0cFDIC Circular 4310.1, Utilizing Cost Benefit Analysis Methodology for the Purchase or\nDevelopment of Capital Assets, dated July 17, 1998 was issued to promote efficient resource\nallocation through well-informed decision-making and to provide guidance for conducting a\nBCA. The circular also defines a capital asset to include land, structures, equipment, and\nintellectual property (including software) that have an estimated useful life of 1 year or more and\ncosting more than $3 million. 
A DIRM policy memorandum entitled Instructions for Performing\nCost Benefit Analyses, dated April 25, 2001 was also issued to ensure that more realistic BCAs\nare performed for future IT projects.\n\nThe SSO project team did not develop a BCA and perform an analysis of alternatives before\ninitiating the SSO pilot project as required by OMB Circular A-130 and FDIC Circular 4310.1.\nSpecifically, the SSO project team did not consider other alternatives for accomplishing the\nFDIC\xe2\x80\x99s system access needs before opting to pursue SSO. Some of the system access methods\nthat were not considered before initiating the SSO project included: maintaining the present\nsystem access method with improved internal controls; password synchronization, 7 also know as\nsame sign-on; and SSO with the FDIC\xe2\x80\x99s in-house public key infrastructure (PKI) 8 software.\n\nAlthough the SSO project plan stated that implementing SSO would reduce the costs of\noperating multiple access control processes, the plan did not quantify the benefits to be achieved\nthrough the implementation of the SSO process. Because it did not perform a BCA and analysis\nof alternatives, the FDIC cannot determine if it is making the best use of its investment funding\nor determine with any certainty whether SSO is the best alternative for meeting the Corporation\xe2\x80\x99s\nsystem access needs.\n\n\nRecommendation\n\nWe recommend before proceeding to a corporate-wide SSO process, the Acting Director, DIRM,\n\n(2) require the SSO project team to develop a BCA for all available alternatives that meet the\nFDIC\xe2\x80\x99s system access needs and select the alternative that provides the best use of the\nCorporation\xe2\x80\x99s funds.\n\n\nSSO POST-IMPLEMENTATION ASSESSMENT\n\n\nThe SSO project team did not develop the benchmarks and goals needed to measure the benefits\nachieved through the implementation of the SSO process for the Extranet users of the five DOS\nsystems. 
As a result, the project team was unable to perform a post-implementation assessment\nto determine whether DIRM should expand the use of the SSO process corporate-wide.\n\n7\n  Password synchronization ensures that a user accesses all systems with the same ID and password.\n8\n  A public key infrastructure is a system of hardware, software, policies, and people that, when fully and properly\nimplemented, can provide a suite of information security assurances that are important in protecting sensitive\ncommunications and transactions.\n\n\n                                                            7\n\x0cOMB Circular A-130 requires post- implementation reviews of information systems as part of\nthe evaluation component of the capital planning process. The purpose of these reviews is to\nvalidate estimated benefits and costs and to document effective management practices for\nbroader use.\n\nThe project team\xe2\x80\x99s lack of performance measures occurred because the SSO project team did not\ndevelop or maintain an SSO performance plan to measure benefits achieved with the SSO\nprocess. Because the Corporation has not yet decided upon the future course of the SSO effort,\nthe SSO project team would be well served to collect system access data, statistics, and costs\nrelated to both the pre- and post- pilot SSO implementation. With such information, the SSO\nproject team could prepare a lessons learned analysis and perform a post-implementation review\nof the SSO process for the Extranet accessible applications. 
These two analyses would be of\nparticular use in determining whether SSO should be implemented corporate-wide.\n\n\nRecommendation\n\nWe recommend that the Acting Director, DIRM,\n\n (3) require that the SSO project team perform a lessons learned analysis based on a post-\nimplementation assessment of the SSO pilot project to determine whether a corporate-wide\nimplementation of the SSO process is justified.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn March 14, 2002, the Acting Director of DIRM provided a written response to the draft report.\nManagement\xe2\x80\x99s response, without the attachment suggesting editorial changes, is presented in\nAppendix II to this report. We made several of DIRM\xe2\x80\x99s suggested editorial changes to clarify\nour discussion. DIRM stated that plans to implement a corporate-wide SSO process have been\ndeferred. The Corporation has partially concurred with recommendations 1 through 3.\nHowever, management\xe2\x80\x99s comments indicate that the proper corrective action will be taken\nshould DIRM initiate SSO again. Accordingly, we consider management\xe2\x80\x99s comments to be\nresponsive to recommendations 1 through 3. Because there are no current plans to extend the\nSSO process corporate-wide, we consider these recommendations to be resolved, dispositioned,\nand closed.\n\n\n\n\n                                               8\n\x0c                                                                                                     APPENDIX I\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\nThe objective of this audit was to evaluate the internal controls over the planning and\nimplementation of the FDIC\xe2\x80\x99s pilot project to provide SSO for Extranet users. 
To accomplish\nthe audit objective, we interviewed DIRM and Division of Supervision (DOS) employees and\nevaluated the SSO implementation plan to determine if the plan complied with:\n\n\xe2\x80\xa2   Office of Management and Budget (OMB) Circular A-130, Management of Federal\n    Information Resources ; 9\n\n\xe2\x80\xa2   FDIC Circular 1240.1, Corporate Perspective in Information Technology Systems\n    Development, dated April 4, 2001;\n\n\xe2\x80\xa2   FDIC Circular 4310.1, Utilizing Cost Benefit Analysis Methodology for the Purchase or\n    Development of Capital Assets, dated July 17, 1998; and\n\n\xe2\x80\xa2    DIRM\xe2\x80\x99s policy memorandum, Instructions for Performing Cost Benefit Analyses, dated\n     April 25, 2001.\n\n\nWe also researched the Internet and audit work performed by other organizations to identify\nalternative technology that could potentially address the FDIC\xe2\x80\x99s SSO needs. We reviewed all\navailable SSO planning documents and interviewed DIRM and DOS personnel to determine (1)\nthe feasibility of the SSO process, (2) the testing methodology, and (3) whether the stated goals\nof the SSO process had been achieved.\n\nWe also determined the security impact of use of the SSO process by external users. We\nobserved the operation of the SSO process and reviewed the SSO scripts to ensure that access\nwas provided only to required resources. 
We performed the audit between January and October\n2001 in accordance with generally accepted government auditing standards.\n\n\n\n\n9\n   We used OMB Circular A-130 as our primary criteria either because the FDIC is required to follow certain provisions\nor because in our judgment it would be prudent for the FDIC to voluntarily adopt the nonobligatory provisions.\n\n\n\n\n                                                          9\n\x0c                                                                                    APPENDIX II\n                                        CORPORATION COMMENTS\nFederal Deposit Insurance Corporation\n\n\n\n                                                     March 14, 2002\n\n\nMEMORANDUM TO:                Russell A. Rau\n                              Assistant Inspector General for Audits\n                              Office of Inspector General\n\nFROM:                         Carol M. Heindel, Acting Director [Electronically produced\n                              version; original signed by Carol Heindel]\n                              Division of Information Resources Management\n\nSUBJECT:                      Revised Response To OIG Draft Audit Report Number 2001-904\n                              FDIC's Efforts to Implement a Single Sign-on Process\n\n\nThe Division of Information Resources Management (DIRM) has reviewed the subject draft\naudit report and we have attached a full copy with several wording changes we are requesting.\nIn addition, we are offering general comments as well as specific management decisions\nregarding the individual recommendations made in the draft audit report.\n\nGeneral\n\nDIRM\xe2\x80\x99s perspective regarding the Single Sign-On (SSO) initiative was one of investigating a\nnew security software tool for potential introduction to the Corporation, not as a systems\napplication developed under the requirements of the FDIC System Development Life Cycle\n(SDLC). 
While we agree that better documentation could have been maintained for all aspects\nof the project, DIRM did:\n\n\xe2\x80\xa2 issue a policy memorandum on April 25, 2001, entitled, Instructions for Performing Cost\nBenefit Analyses, to improve and ensure that more realistic cost benefit analyses (CBAs) are\nperformed for future IT projects.\n\n\xe2\x80\xa2 develop separate project documentation including project plans using the Corporate standard\nproject planning tool,\n\n\xe2\x80\xa2 conduct a review of multiple alternative vendor products based on both product functionality\nand the current FDIC infrastructure,\n\n\xe2\x80\xa2   develop lessons learned documents, as well as,\n\n\xe2\x80\xa2 submitted and processed all required project documentation for the IT budget formulation,\nreview and approval process in place at the time of the pilot effort. This included presentation\nand ranking of the initiative by the FDIC IT Technical Committee.\n\n\n\n                                                10\n\x0cThe pilot for FDIC\xe2\x80\x99s Extranet did prove beneficial to the FDIC Extranet users from the state\nbanks, eliminating duplicative id\xe2\x80\x99s and passwords. The overall decision not to proceed to any\nfurther implementation of SSO for the Corporation included several factors. First, the cost to\napply SSO across all platforms in the FDIC was prohibitive. Second, at the time of the pilot,\nsuccess in implementing SSO in both the public and private sector was virtually non-existent due\nto the cost and complexity of implementation. Finally, at the time of the pilot, FDIC was\nbeginning its effort to plan for the conversion of its network and desktop operating environments\nto the Windows 2000 and subsequently Microsoft XP environments. The timing and impact of\nthis conversion on any SSO implementation would be significant.\n\nThe draft audit report makes reference to DIRM\xe2\x80\x99s anticipated use of SSO to address GAO access\ncontrol issues. 
The report states that, \xe2\x80\x9c\xe2\x80\xa6 the FDIC could not demonstrate that the\nimplementation of the SSO process would address the GAO\xe2\x80\x99s concerns related to the FDIC\xe2\x80\x99s\nmanagement of system access, even though doing so was one of DIRM\xe2\x80\x99s justifications for\nimplementing the SSO process.\xe2\x80\x9d It should be noted that the SSO effort was only one of several\nefforts underway by DIRM to address GAO\xe2\x80\x99s concerns. These included other successful\nactivities such as the implementation of the Information Security Manager program and the\nassociated access control procedures for that program. SSO was not to be a \xe2\x80\x9csilver bullet\xe2\x80\x9d for all\nGAO access control issues. The fact that the pilot results ended in the termination of any\nexpansion effort beyond the FDIC Extranet, in no way minimizes DIRM\xe2\x80\x99s efforts to address\nGAO\xe2\x80\x99s access control concerns.\n\nManagement Decision Regarding Specific Recommendations\n\nWe recommend that the Acting Director, DIRM,\n\n(1) require that before initiating the corporate-wide SSO process, the SSO project team prepare a\n    comprehensive project plan that contains the following:\n\n\xe2\x80\xa2   all documentation required by OMB Circular A-130 for the selection, control, and\n    evaluation components of the capital planning and investment control process,\n\xe2\x80\xa2   performance goals and indicators to gauge the FDIC\xe2\x80\x99s progress in implementing the SSO\n    project plan, and\n\xe2\x80\xa2   a mechanism for obtaining agreement from all directors of FDIC divisions and offices to use\n    the SSO process.\n\nResponse: We partially concur with the recommendation. As previously mentioned in our\ngeneral comments, prior to any recommendations or results from this audit, DIRM had already\nrecognized the need for more stringent cost benefit policy and procedures during the time of the\npilot SSO implementation. 
To that end, the CIO issued Policy Memorandum 02-2001, Instructions for Performing Cost Benefit Analyses, on April 25, 2001 to improve these policies and procedures. Should DIRM decide to evaluate SSO again, these audit findings will be taken into consideration and applied to the SSO project according to the applicable corporate investment planning, control and measurement process that FDIC has in place at that time. This will include applicable policy and procedures associated with the communication and agreement amongst FDIC divisions and offices.

(2) Require the SSO project team to develop a BCA (Benefit Cost Analysis) for all available alternatives that meet the FDIC's system access needs and select the alternative that provides the best use of the Corporation's funds.

Response: We partially concur with the recommendation. Since the April 25, 2001 issuance of Policy Memorandum 02-2001, DIRM has procedures in place to address CBAs for all major IT development/initiative projects in a thorough and comprehensive manner. This would include a project like SSO, which occurred under older, generally less stringent DIRM policies. At this time, there are no current plans to re-evaluate SSO or to proceed with further SSO expansion. If DIRM initiates an SSO effort again, the SSO project team will do a CBA against the available alternatives in selecting a product or tool and will follow all applicable Corporate cost-benefit guidance.

(3) Require that the SSO project team perform a lessons learned analysis based on a post-implementation assessment of the SSO pilot project to determine whether a corporate-wide implementation of the SSO process is justified.

Response: We partially concur with this recommendation. Based on the pilot, the determination has already been made not to proceed with further SSO expansion, as stated in our general comments.
As such, no additional resources will be expended on the completed pilot for any further assessment. DIRM did prepare a lessons learned document following the pilot on May 17, 2001. This document is attached. If DIRM initiates an SSO effort again, the SSO project team will perform a lessons learned analysis based on their documented post-implementation assessment of the project.

If you have any questions concerning this response, please contact Rack Campbell, Chief ITES, at 516-1422.

Attachments

cc:    Vijay G. Deshpande, Director, OICM
       Janet W. Roberson, Deputy Director, DIRM
       Rack Campbell, Chief, DIRM
       Ned Goldberg, Assistant Director, DIRM
